Ransomware attack targets Professional Finance Co., affecting 657 health care clients

A ransomware attack against Professional Finance Co. Inc., a Greeley-based accounts-receivable management company, has resulted in a data breach potentially affecting 657 of the company’s health-care-provider clients and almost two million individuals.

The breach, with more than 1.9 million individuals potentially affected, represents the second-biggest data breach affecting health care companies so far in 2022, according to the U.S. Department of Health and Human Services’ Breach Portal. A March attack against Shields Health Care Group Inc. of Massachusetts affected more than 2.4 million individuals.

The Professional Finance breach already has prompted four federal lawsuits accusing the company of failing to exercise reasonable care in securing customer and employee data. The lawsuits were filed in U.S. District Court in Denver and are seeking class-action status.

The ransomware attack occurred Feb. 26, but Professional Finance did not begin informing client health care providers until May 5, according to a Notice of Cybersecurity Incident posted on the company’s website.

“On Feb. 26, 2022, PFC detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems,” according to the incident report. “PFC immediately engaged third party forensic specialists to assist us with securing the network environment and investigating the extent of any unauthorized activity. Federal law enforcement was also notified. The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals’ personal information during this incident. PFC notified the respective health care providers on or around May 5, 2022.”

The company issued a press release about the data breach July 1.

PFC said it had “found no evidence that personal information has been specifically misused.” But data potentially accessed by the cyber attacker includes first and last name, address, accounts-receivable balance and information regarding payments made to accounts, according to the company. Additionally, date of birth, Social Security number, health insurance and medical-treatment…